IEEE Technology and Society Magazine - December 2020 - 61

organizations all rely on computer systems every day.
Personal identification data, social security numbers,
credit card details or bank account information, and
many more sources of sensitive personal information
may easily be stolen if an individual with malicious
intent comes across them. Moreover, hackers are
becoming increasingly sophisticated, hacking tools are
widely available, and more and more smart devices are
connected to the Internet. Is the dreadful disaster just
one click away?
Luckily, citizens are not necessarily doomed to face
disaster, as the myriad of cybersecurity threats seems
to balance with plenty of " good guys " - IT specialists,
scientists, criminologists, companies, white-hat hackers, cyber militia, and many more individuals and organizations who work hard and try to be a step ahead of
the cyber threat actors [1], [2]. Recently, in order to protect people on yet another level, the cybersecurity
issues have also been addressed by legal regulations, the most significant of them being the
Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on
the protection of natural persons with
regard to the processing of personal
data and on the free movement of
such data, and repealing Directive
95/46/EC, or the General Data Protection Regulation (GDPR) [3].
One might suppose that both
the world of cybersecurity measures and policies such as the
GDPR go side by side. However, it
is not always that obvious. For
instance, intrusion detection
tools, which are often the means
of helping to achieve GDPR compliance as such, must be designed
in such a way to be GDPR-compliant
themselves. Thus, this paper deals
with the problem of intrusion detection tools being examined for being (or
rather: not being) GDPR-compliant. This
translates into the following challenge:
what qualities, properties and/or requirements must a stego/malware detection solution
satisfy in order to be GDPR-compliant? We start
here with an analysis of the legal basis and terms
imposed by GDPR. Then it identifies the requirements
that pose a particular challenge for the creators of
stego/malware detection systems in the context of
ensuring GDPR-compliance. Finally, we define a list of
recommendations to follow in order to ensure GDPR
compliance for stego/malware detection tools. We
argue that these recommendations should constitute
DECEMBER 2020

∕

the basis for policy formulation for several actors in the
" cyber ecosystem, " such as public authorities, national
CSIRTs, and private CERTs, as well as for law enforcement agencies and data protection bodies.

GDPR - Overview and the Legal Background
The General Data Protection Regulation (GDPR), is a
European Union's regulation that after being passed by
the European Parliament in 2016 came into force on
May 25, 2018 [4]. It is the toughest privacy and security
law in the world as it imposes obligations onto organizations anywhere, as long as they process data related to
people in the EU and EEA. The five key GDPR takeaways
are: penalties, consent, privacy by design, data breach
notification, and pseudonymization [4].
One of the pieces of the GDPR compliance puzzle are
information security tools, as they help protect consumer
data privacy. In order to be GDPR-compliant, numerous
organizations employ a myriad of cybersecurity measures in order to prevent breaches and attacks, and keep
the data they store safe, such as data discovery and classification tools, encryption and data masking solutions,
incident response, and case management framework and
malware/stegomalware detection tools. This paper discusses the last of the aforementioned measures. Malicious software (malware) is the term used to describe
one of the cybersecurity threats, i.e., programs that have
been designed to produce harmful and undesirable
effects, including viruses, worms, Trojan horses, and spyware [5]-[7]. One of the recent phenomena is the socalled stegomalware, which is the type of malware where
steganographic capabilities are employed to hide malicious components in order to evade detection and make
security analysis more challenging [8]. Undoubtedly,
when malware/stegomalware steals personal data without the data subject's consent, it breaks the GDPR and a
number of other laws and regulations.
Thus, malware/stegomalware detection tools should
be perceived only as a means of achieving GDPR. However, a kind of paradox arises: malware/stegomalware
detection tools rely on processing data themselves [9].
Unsurprisingly, the data in question is likely to comprise
personal data as well. Thus, it turns out that cybersecurity solutions that are an essential element of being
GPDR-compliant, are also directly addressed by the
GDPR. This means that according to the law, the tools
must be fully GDPR-compliant. Could one suppose they
are always compliant by default, though?
As indicated by [10], " EU data protection law stands
on a dual footing: on the one hand, it strives to facilitate
the free flow of personal data; on the other hand, it
makes the free flow of personal data subject to conformity with legal requirements that are derived from the
fundamental rights character of the right to privacy and

IEEE TECHNOLOGY AND SOCIETY MAGAZINE

IEEE Technology and Society Magazine - December 2020

Table of Contents for the Digital Edition of IEEE Technology and Society Magazine - December 2020